- To: "MLUG Members" <EMAIL:PROTECTED>
- Subject: [MLUG] Using the Cisco VPN client on Linux
- From: "McNutt, Justin M." <EMAIL:PROTECTED>
- Date: Mon, 1 Aug 2005 11:32:55 -0500
- Delivery-date: Mon, 01 Aug 2005 11:33:04 -0500
- Envelope-to: EMAIL:PROTECTED
- Reply-to: MLUG Members <EMAIL:PROTECTED>
- Sender: EMAIL:PROTECTED
- Thread-index: AcWT4tDNIsel+jqASymEikw6f2rX+QC0SOXQ
- Thread-topic: [MLUG] FYI: Tigernet WEP key changes on Monday...
> The person to ask is Justin McNutt. He did a great job stepping me through the
> process, and VPN works fine from my home network through Tigernet.
>
> If you wish, contact me off-list and I'll gladly provide you
> with my config files. There are a few tricks that aren't obvious.
Thanks for the vote of confidence, Mark. Using the Cisco VPN client on Linux is indeed a bit tricky, since Cisco lies to you, particularly if you're using wireless. It took me *forever* to get the sequence of steps right.
<aside>
The Desktop Support Group in IATS (formerly known as LaDS) is tooling up for Linux support for things like VPN that we operate. They're not quite ready yet, but it's coming. Students, faculty, and staff using Linux as primary workstations have finally reached a critical mass that IATS is going to start devoting serious resources to it (beyond what the Networking and Server groups use internally).
</aside>
Okay, the VPN:
1) Download a copy of the client (duh). Get 4.6.xxx (revision/patch level makes no difference). If you can't find a copy, let me know and I'll post a link to a copy I have.
2) Untar/gzip it somewhere nice and clean, like ~root. It will create a "vpnclient" directory with a bunch of source in it. DO NOT EXTRACT OVER A PREVIOUS DIRECTORY! Also, DO NOT USE A PREVIOUSLY-EXTRACTED SOURCE WITH A NEW KERNEL! YOU WILL PAY A TERRIBLE PRICE IF YOU DO!
<ahem>
3) 'cd' into your shiny new source tree (hint, hint) and run the vpn_install script. You must have the kernel-source RPM (or equiv) installed for it to work. When it asks you if you want the VPN startup script to run at boot time, SAY NO! ***IMPORTANT***
4) 'cd' to /etc/CiscoSystemsVPNClient/Profiles (this may be /etc/opt/cisco-vpnclient; it changed somewhere along the way) and copy "sample.pcf" to "tigernet.pcf".
5) Edit tigernet.pcf. *Edit* the appropriate lines shown below:
Description=Campus VPN TigerNet Group
Host=vpn1.missouri.edu
GroupName=tigernet
Username=YOUR-PAWPRINT
EnableNat=1
EnableLocalLAN=1
Now it's all set up. To *USE* the VPN client, do the following, as root (of course). YOU MUST DEDICATE A SHELL FOR THIS! RUNNING THE VPN CLIENT IN THE BACKGROUND DOES WEIRD THINGS AND IS NOT RECOMMENDED!
a) service vpnclient_init start
That will throw some errors about the kernel being tainted. Don't worry about this.
b) vpnclient connect tigernet
"tigernet" is the name of the .pcf file you created. You can create other .pcf files for connecting to other groups, concentrators, whatever. Each .pcf file is referred to as a "profile" in Cisco terminology. Anyway, you will be prompted for a group password *once*, and a user password *every time*. Press Ctrl-C in this window/shell to terminate the VPN client when you are finished.
Long and drawn out, I know. Sorry. Once you have it built (and get used to rebuilding it every time you apply a kernel upgrade), it's not so bad.
For those of you who are bored already, stop here. For those whose interest in these arcane procedures has been piqued, read on.
Q. WHY CAN'T I LOAD THE KERNEL MODULE AT BOOT TIME?
A. Because the startup process is non-deterministic. Basically, the vpnclient kernel module needs the network connection that you're going to use to be already up and active when the module loads. This is unlikely to be the case at boot time, since you may not have your wireless NIC set to start at boot time, or the module may load before "service network start" happens, or any number of things. Plus, doing it "my" way means not having a tainted kernel except in the case where you're using the VPN.
In short, because it *always* works this way, and only *might* work doing it the easy way.
Q. WHY DO I HAVE TO RE-EXTRACT THE WHOLE THING EVERY TIME?
A. Because "make clean" doesn't work properly and some things are still used from the previous kernel and/or VPN client version. When you build from a clean source, you get a module that is built properly for the currently-running kernel (assuming, of course, that the current kernel matches the source tree in /usr/src/linux-xxx).
Q. THAT SOUNDS LIKE CRAP. I'M GOING TO DO IT THE EASIER WAY.
A. Well, that's not a question, but here's what you'll get, based on my experience. Either the VPN client will completely fail to work, and you'll have no connectivity until you kill the client OR (strange), you'll only be able to send data packets smaller than about 1300 bytes (which means the data + VPN overhead can fit in a single TCP packet on Ethernet/802.11 without fragmentation). Adjusting MTU sizes on either cipsec0, eth0, or wlan0 won't help you. It just breaks in weird ways. You can SSH into stuff, but 'ls' hangs. Etc. Weird stuff.
So just do it my way and if it still doesn't work, let me know and I'll try to find some time to come look at it. If you have a laptop, even better, since I can meet you for lunch somewhere and hack on it, schedules permitting (read: "no promises").
--J
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
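As an added example, not code from Justin's message: a POSIX shell script that produces the tigernet.pcf of steps 4 and 5 from the client's shipped sample.pcf (keys already present are rewritten, missing ones appended, so any sample.pcf version works) and wraps steps a) and b) in one dedicated foreground shell. The helper names, the paths, the constructed sample contents and the idea of stopping vpnclient_init when the client exits are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original message: build the tigernet.pcf of
# steps 4 and 5 from the client's sample.pcf, then run steps a) and b) in one
# dedicated foreground shell. Paths and sample contents are constructed.

# set_key FILE KEY VALUE: set KEY=VALUE in an INI-style .pcf. An existing line
# is rewritten in place, a missing key is appended (works with any sample.pcf).
# VALUE must not contain '|', '&' or '\' (sed replacement specials).
set_key() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        tmpf=$(mktemp)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmpf" && mv "$tmpf" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_key FILE KEY: print the value of KEY (empty if absent); used to verify.
get_key() {
    sed -n "s/^$2=//p" "$1"
}

# make_profile SAMPLE OUT USERNAME: copy SAMPLE to OUT and apply the settings
# listed in step 5. The file is made root-only: after the first connect the
# client keeps the group password in the profile (hence "prompted once").
make_profile() {
    cp "$1" "$2" || return 1
    set_key "$2" Description "Campus VPN TigerNet Group"
    set_key "$2" Host vpn1.missouri.edu
    set_key "$2" GroupName tigernet
    set_key "$2" Username "$3"
    set_key "$2" EnableNat 1
    set_key "$2" EnableLocalLAN 1
    chmod 600 "$2"
}

# vpn_session PROFILE: steps a) and b). The kernel module is loaded only for
# this session and the init script is stopped again when vpnclient exits
# (Ctrl-C), so the kernel is tainted only while the VPN is in use. Assumed
# wrapper, not something the post prescribes; run as root in a dedicated shell.
vpn_session() {
    service vpnclient_init start || return 1
    trap 'service vpnclient_init stop' EXIT INT
    vpnclient connect "$1"
}
```

Usage: `make_profile /etc/CiscoSystemsVPNClient/Profiles/sample.pcf /etc/CiscoSystemsVPNClient/Profiles/tigernet.pcf YOUR-PAWPRINT`, then `vpn_session tigernet` in the shell you dedicate to the client.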